DECLARATION OF MARK TOWNSEND PURSUANT TO 37 CFR §

Dear Sir: 

In support of my claim of prior invention of the invention described in the referenced
application in view of the Sung et al. reference cited in the June 29, 2007, office action, I hereby
declare as follows:

1. My name is Mark Townsend. I am an applicant and co-inventor of the invention described
and claimed in the referenced patent application.

2. In association with others, I conceived of the invention described in the application before
April 14, 2003. Prior to January 2, 2003, I participated in discussions with one or more
co-inventors regarding the implementation of the Distributed Intrusion Response System described in
the Enterasys Invention Disclosure Form identified in the accompanying Declaration of Richard
Graham.

3. Initially, the group of people involved in the discussions, including myself, undertook the
task of developing the invention described in the Invention Disclosure Form during any spare time
available to us beyond time spent carrying out our regular obligations to produce and market
existing company products. As a result, we were not able to commit all of our time to continuous
development of the invention. Nevertheless, we spent all available time diligently developing the
invention. Our efforts included telephone conversations, e-mail exchanges, in-person meetings,
tasking computer programmers to implement coding schemes, and reviewing code and evolving
implementations of the invention. A copy of a representative first example of an e-mail exchange,
dated January 17, 2003, between myself and an Enterasys computer programmer I asked to provide
programming services related to the development of the Distributed Intrusion Response System
based on modifications to Enterasys's existing Dragon Intrusion Detection System (Dragon) and
Enterasys's existing User Personal Network (UPN) network management system is attached hereto
as Exhibit A.

4. Subsequent to January 11, 2003, I periodically communicated with one or more of the other
co-inventors regarding means available to us to implement the invention as contemplated. I also
communicated with others of Enterasys who I believed would be able to assist in the
implementation through programming activities. One person I spoke with in particular, Andy
Beats, was asked to explain the functioning of the Dragon and UPN operations and, in particular,
we discussed means by which intrusion detection signals from the Dragon system could be trapped
and transferred to the existing Enterasys network management system referred to as Atlas for the
purpose of targeted network entry device modification. A copy of a second representative example
of an e-mail exchange between myself and Mr. Beats, dated February 28, 2003, related to the
implementation of the present invention is attached hereto as Exhibit B.

5. Subsequent to February 28, 2003, as I and other inventors performed our primary functions 
with the company, we continued to discuss the implementation of the invention and identified two 
Enterasys programmers with experience working with the Dragon system, Salo Fajer and Tom 
May, able and with some time available, to assist in coding the conceived implementation of the 
invention. Over the course of a few weeks, generated initial coding used to carry out the intended 
function of the invention. A copy of the preliminary coding for that purpose that either or both of 
Mr. Fajer and Mr. May provided to me for my review and dated April 15, 2003, is attached hereto 
as Exhibit C. 

6. Subsequent to April 15, 2003, I worked with Mr. Fajer and Mr. May to complete the
preliminary programming for the invention. A copy of a third example e-mail set generated over
the period from May 1, 2003, to May 2, 2003, culminated in a statement by Mr. Fajer confirming
his and Mr. May's efforts in the development of the programming for a demonstration model of
the invention, all in response to internal discussions regarding improvements to network system
security. A copy of that e-mail set is attached hereto as Exhibit D. Shortly thereafter, Mr. May
and I discussed the generated computer program and certain features to be "tweaked." Mr. May
provided me a copy of his notes taken at the time of our discussion, specifically on May 7, 2003.
A copy of May's notes as provided to me is attached hereto as Exhibit E.

7. Subsequent to May 7, 2003, over a period of several weeks during which all involved in the
development of the invention continued to perform our regular duties for the company, Mr. May
and Mr. Fajer, pursuant to my instructions and requests, made adjustments to the programming for
the invention, until on or about July 28, 2007. On June 25, 2003, either or both of Mr. May and
Mr. Fajer presented to me a summary flow diagram they had generated after substantially
completing the coding for the demonstration model of the invention to perform as intended. That
summary flow diagram of June 25, 2003, is attached hereto as Exhibit F.

8. Between June 25, 2003, and July 28, 2003, we completed final modifications to a working
prototype of the invention. At that time, I began preparation of a PowerPoint® presentation for
initiating interest in establishing the implementation of the invention as an official company
development project. The summary flow diagram of the invention operating as intended was
included and shown to company management. I completed the presentation on or about July 28,
2003. A copy of the presentation is attached hereto as Exhibit G.

9. On or about August 4, 2003, I reviewed completed Perl script programming code
representing the implementation of the invention in a computing system. A copy of the code
generated on or about August 4, 2003, is attached hereto as Exhibit H. I believe that the invention
was operational for its intended purpose at least as of that date.

10. On or about August 6, 2003, I demonstrated to a prospective customer the invention as
implemented. In the course of running an example of the invention on the Enterasys internal
network system using the programming code of Exhibit H, I also showed to the prospective
customer the presentation of Exhibit G.

11. Upon information and belief, the invention described in the referenced application was
conceived at least as of January 2, 2003, and diligently reduced to practice no later than August 6,
2003.

12. I hereby declare that all statements made herein of my own knowledge are true and that all
statements made on information and belief are believed to be true; and further that these statements
were made with the knowledge that willful false statements and the like so made are punishable by
fine or imprisonment, or both, under 18 USC 1001 and that such willful false statements may
jeopardize the validity of the application or any patent issued.
Mark Townsend, Applicant
Date: [handwritten date, illegible]
From: Skowranek, Kurt
Sent: Friday, January 17, 2003 1:38 AM
To: Townsend, Mark; Post, James
Subject: RE: UPN/Dragon

Jim and I worked on this yesterday afternoon and ran up against a couple of issues.

The discovery script process would run the atlasgreb and statalias, we will need to do this in either windows or solaris. So
we were moving down a path of having Dragon send a trap to console and console was going to initiate the "discovery
script" and policy set. Using Console 1.1 is doable but needs more time to futz with it because we'll need to rewrite the
dragon's trap into hp format so that it is recognizable by the alarm notification tool in Console.

After doing some digging and prodding, I was able to get an OLD copy (circa 2000) of linux based Q tools. I will try to play
with them when I get a chance. If you know who can get us an updated linux tool set, this would make this script much
easier to write and launch directly from Linux, not involve the other mess.

I don't expect to have anything to you next week though. I am just resetting any expectation that you may have or have
committed to.

I am extremely busy, trying to keep up with everything this month, I don't know why it is this busy so early in the quarter
but I am booked out through until Feb already.

<KJS>

From: Townsend, Mark
Sent: Monday, January 13, 2003 10:53 AM
To: Post, James; Skowranek, Kurt
Subject: UPN/Dragon

Here's a simple slide regarding this morning's discussion.

If you have any thoughts, I'm all ears!

Thanks,

-Mark

<< File: Proof-of-Concept.ppt >>

Mark D. Townsend
Reg. Director Systems Engineering
Enterasys Networks
50 Minuteman Road
Andover, MA 01810
Tel 978 684 1623
From: Townsend, Mark
Sent: Friday, February 28, 2003 3:42 PM
To: Beats, Andy
Subject: thoughts 4 u
Importance: High

Andy,

Dragon 6 has a SNMP module on the sensor; you could have it, not alarm tool, send a SNMP trap to Atlas. I remember
some of your old training from Durham - let's use the tools in NetSight to set Policies for SNMP traps and take
appropriate actions. I figured that would be old hat for you.

Just a thought

-Mark

Mark D. Townsend
Enterasys Networks
978 684 1623

— SNIP —

Lab 6 (HIDS Active Response) is nowhere NEAR the point of STARTING development, because I will need either (1) to
spend a couple of days with a development engineer who can provide me with solid example PERL scripts and how they
can be used so that the field can benefit from the lab or (2) the Dragon Team will need to provide valid scripts and details
on how to use them. The goal here is to have the HIDS detect an event and kick off a PERL script (wrapped
module) which will "do something in response to the detected event". I need the team's advice on what that
"something" might be, and an accompanying script that will accomplish the desired "active response".

Lab 7 (Alarmtool Active Response) has not even started development, as I do not want to use the suggested PERL script
that adds an ACL to a Cisco router. I think it would be much better to modify the current script (or create a new one) that
adds an ACL to an Enterasys product. I have not had time to work on that, and could very much use the team's
assistance in this regard. (Sam Stover indicated that he can obtain a script which accomplishes this. If Sam's
script is acceptable to the team, we'll put it into production for a lab exercise and run with it.)


EXHIBIT 



[Sniffer decode of six SNMP frames captured 04/15/2003. The handwritten annotations on the scanned pages are dropped; values that could not be read from the scan are marked [illegible].]

Frame 1196  [10.10.10.99] TMAY-XP1 -> [10.10.10.253]  size 160  Rel. Time 0:04:02.358  Delta Time 0.006.402  Abs. Time 04/15/2003 04:29:36 PM
            Summary: SNMP: Set enterprise.5624.1.2.6.1.5.1.3.5, enterprise.5...
DLC:  Frame 1196 arrived at 16:29:36.5051; frame size is 160 (00A0 hex) bytes.
DLC:  Destination = Station Cbltrn9C02F0; Source = Station 000347B54CBD; Ethertype = 0800 (IP)
IP:   Version = 4, header length = 20 bytes; Type of service = 00 (routine, normal delay, normal throughput, normal reliability); ECT bit = 0 (transport protocol will ignore the CE bit)
IP:   Total length = 146 bytes; Identification = 36504; Flags = 0X (may fragment, last fragment); Fragment offset = 0 bytes
IP:   Time to live = 128 seconds/hops; Protocol = 17 (UDP); Header checksum = [illegible]
IP:   Source address = [10.10.10.99] TMAY-XP1; Destination address = [10.10.10.253]; No options
UDP:  Source port = 1866; Destination port = 161 (SNMP); Length = 126; Checksum = 582A (correct); [118 byte(s) of data]
SNMP: Simple Network Management Protocol (Version 1)
SNMP: SNMP Version = 1; Community = public; Command = Set request; Request ID = 22112; Error status = 0 (No error); Error index = 0
SNMP: Object = {1.3.6.1.4.1.5624.1.2.6.1.5.1.3.5} (enterprise.5624.1.2.6.1.5.1.3.5)  Value = [illegible]
SNMP: Object = {1.3.6.1.4.1.5624.1.2.6.1.5.1.4.5} (enterprise.5624.1.2.6.1.5.1.4.5)  Value = 2
SNMP: Object = {1.3.6.1.4.1.5624.1.2.6.1.5.1.6.5} (enterprise.5624.1.2.6.1.5.1.6.5)  Value = [illegible]

Frame 1197  [10.10.10.253] -> [10.10.10.99] TMAY-XP1  size 160  Rel. Time 0:04:02.374  Delta Time 0.015.501  Abs. Time 04/15/2003 04:29:36 PM
            Summary: SNMP: GetReply enterprise.5624.1.2.6.1.5.1.3.5
DLC:  Frame 1197 arrived at 16:29:36.5206; frame size is 160 (00A0 hex) bytes.
DLC:  Destination = Station 000347B54CBD; Source = Station Cbltrn9C02F0; Ethertype = 0800 (IP)
IP:   Version = 4, header length = 20 bytes; Type of service = 00 (routine, normal delay, normal throughput, normal reliability); ECT bit = 0; CE bit = 0 (no congestion)
IP:   Total length = 146 bytes; Identification = 666; Flags = 0X (may fragment, last fragment); Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops; Protocol = 17 (UDP); Header checksum = [illegible] (correct)
IP:   Source address = [10.10.10.253]; Destination address = [10.10.10.99] TMAY-XP1; No options
UDP:  Source port = 161 (SNMP); Destination port = 1866; Length = 126; No checksum; [118 byte(s) of data]
SNMP: Simple Network Management Protocol (Version 1)
SNMP: SNMP Version = 1; Community = public; Command = Get response; Request ID = 22112; Error status = 0 (No error); Error index = 0
SNMP: Object = {1.3.6.1.4.1.5624.1.2.6.1.5.1.3.5} (enterprise.5624.1.2.6.1.5.1.3.5)  Value = 4
SNMP: Object = {1.3.6.1.4.1.5624.1.2.6.1.5.1.2.5} (enterprise.5624.1.2.6.1.5.1.2.5)  Value = Test
SNMP: Object = {1.3.6.1.4.1.5624.1.2.6.1.5.1.4.5} (enterprise.5624.1.2.6.1.5.1.4.5)  Value = 2
SNMP: Object = {1.3.6.1.4.1.5624.1.2.6.1.5.1.6.5} (enterprise.5624.1.2.6.1.5.1.6.5)  Value = [illegible]

Frame 1198  [10.10.10.99] TMAY-XP1 -> [10.10.10.253]  size 133  Rel. Time 0:04:02.378  Delta Time 0.004.483  Abs. Time 04/15/2003 04:29:36 PM
            Summary: SNMP: Set enterprise.5624.1.2.6.2.4.1.3.5.12, enterprise...
DLC:  Frame 1198 arrived at 16:29:36.5251; frame size is 133 (0085 hex) bytes.
DLC:  Destination = Station Cbltrn9C02F0; Source = Station 000347B54CBD; Ethertype = 0800 (IP)
IP:   Version = 4, header length = 20 bytes; Type of service = 00 (routine, normal delay, normal throughput, normal reliability); ECT bit = 0; CE bit = 0 (no congestion)
IP:   Total length = 119 bytes; Identification = 36505; Flags = 0X (may fragment, last fragment); Fragment offset = 0 bytes
IP:   Time to live = 128 seconds/hops; Protocol = 17 (UDP); Header checksum = 8269 (correct)
IP:   Source address = [10.10.10.99] TMAY-XP1; Destination address = [10.10.10.253]; No options
UDP:  Source port = 1866; Destination port = 161 (SNMP); Length = 99; Checksum = 25F7 (correct); [91 byte(s) of data]
SNMP: Simple Network Management Protocol (Version 1)
SNMP: SNMP Version = 1; Community = public; Command = Set request; Request ID = 22113; Error status = 0 (No error); Error index = 0
SNMP: Object = {1.3.6.1.4.1.5624.1.2.6.2.4.1.3.5.12} (enterprise.5624.1.2.6.2.4.1.3.5.12)  Value = [illegible]
SNMP: Object = {1.3.6.1.4.1.5624.1.2.6.2.4.1.2.5.12} (enterprise.5624.1.2.6.2.4.1.2.5.12)  Value = {1.3.6.1.4.1.52.4.1.2.16.6.1.4.1.5.99.18.80.0}

Frame 1199  [10.10.10.253] -> [10.10.10.99] TMAY-XP1  size 133  Rel. Time 0:04:02.393  Delta Time 0.014.650  Abs. Time 04/15/2003 04:29:36 PM
            Summary: SNMP: GetReply enterprise.5624.1.2.6.2.4.1.3.5.12; enterprise...
DLC:  Frame 1199 arrived at 16:29:36.5397; frame size is 133 (0085 hex) bytes.
DLC:  Destination = Station 000347B54CBD; Source = Station Cbltrn9C02F0; Ethertype = 0800 (IP)
IP:   Version = 4, header length = 20 bytes; Type of service = 00 (routine, normal delay, normal throughput, normal reliability); ECT bit = 0; CE bit = 0 (no congestion)
IP:   Total length = 119 bytes; Identification = 667; Flags = 0X (may fragment, last fragment); Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops; Protocol = 17 (UDP); Header checksum = 8F67 (correct)
IP:   Source address = [10.10.10.253]; Destination address = [10.10.10.99] TMAY-XP1; No options
UDP:  Source port = 161 (SNMP); Destination port = 1866; Length = 99; No checksum; [91 byte(s) of data]
SNMP: Simple Network Management Protocol (Version 1)
SNMP: SNMP Version = 1; Community = public; Command = Get response; Request ID = 22113; Error status = 0 (No error); Error index = 0
SNMP: Object = {1.3.6.1.4.1.5624.1.2.6.2.4.1.3.5.12} (enterprise.5624.1.2.6.2.4.1.3.5.12)  Value = [illegible]
SNMP: Object = {1.3.6.1.4.1.5624.1.2.6.2.4.1.2.5.12} (enterprise.5624.1.2.6.2.4.1.2.5.12)  Value = {1.3.6.1.4.1.52.4.1.2.16.6.1.4.1.5.99.18.80.0}

Frame 1200  [10.10.10.99] TMAY-XP1 -> [10.10.10.253]  size 90  Rel. Time 0:04:02.400  Delta Time 0.006.832  Abs. Time 04/15/2003 04:29:36 PM
            Summary: SNMP: Set Cabletron.4.1.2.14.7.1.1.0
DLC:  Frame 1200 arrived at 16:29:36.5466; frame size is 90 (005A hex) bytes.
DLC:  Destination = Station Cbltrn9C02F0; Source = Station 000347B54CBD; Ethertype = 0800 (IP)
IP:   Version = 4, header length = 20 bytes; Type of service = 00 (routine, normal delay, normal throughput, normal reliability); ECT bit = 0; CE bit = 0 (no congestion)
IP:   Total length = 76 bytes; Identification = 36506; Flags = 0X (may fragment, last fragment); Fragment offset = 0 bytes
IP:   Time to live = 128 seconds/hops; Protocol = 17 (UDP); Header checksum = 8293 (correct)
IP:   Source address = [10.10.10.99] TMAY-XP1; Destination address = [10.10.10.253]; No options
UDP:  Source port = 1866; Destination port = 161 (SNMP); Length = 56; Checksum = 420C (correct); [48 byte(s) of data]
SNMP: Simple Network Management Protocol (Version 1)
SNMP: SNMP Version = 1; Community = public; Command = Set request; Request ID = 22114; Error status = 0 (No error); Error index = 0
SNMP: (variable bindings not legible on the scan)

Frame 1201  [10.10.10.253] -> [10.10.10.99] TMAY-XP1  size 90  Rel. Time 0:04:02.407  Delta Time 0.007.496  Abs. Time 04/15/2003 04:29:36 PM
            Summary: SNMP: GetReply Cabletron.4.1.2.14.7.1.1.0
DLC:  Frame 1201 arrived at 16:29:36.5541; frame size is 90 (005A hex) bytes.
DLC:  Destination = Station 000347B54CBD; Source = Station Cbltrn9C02F0; Ethertype = 0800 (IP)
IP:   Version = 4, header length = 20 bytes; Type of service = 00 (routine, normal delay, normal throughput, normal reliability); ECT bit = 0; CE bit = 0 (no congestion)
IP:   Total length = 76 bytes; Identification = 668; Flags = 0X (may fragment, last fragment); Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops; Protocol = 17 (UDP); Header checksum = 8F51 (correct)
IP:   Source address = [10.10.10.253]; Destination address = [10.10.10.99] TMAY-XP1; No options
UDP:  Source port = 161 (SNMP); Destination port = 1866; Length = 56; No checksum; [48 byte(s) of data]
SNMP: Simple Network Management Protocol (Version 1)
SNMP: SNMP Version = 1; Community = public; Command = Get response; Request ID = 22114; Error status = 0 (No error); Error index = 0
SNMP: (variable bindings not legible on the scan)

Townsend, Mark

From: Fajer, Salo
Sent: Friday, May 02, 2003 11:30 AM
To: Dragon Team
Subject: RE: IPS future . . . and Enterasys UPN

I agree that there is a synergy between UPN and Dragon that we could take advantage of in the IPS story. Tom May and
I are building a demo to use Dragon events to automatically set UPN Policies. We would love to see us integrate the
existing tools we have to offer LAN based per port IPS! I know this has been discussed before, but imagine that Dragon
sees a threat from an internal IP. It launches a Compass search and identifies the port in the network of the offender.
Based on a previously set policy, it sets that port into a "penalty box" role and alerts the network admin. Or in a more
advanced mode, blocks just that tcp port (i.e. SQL Slammer) on the physical port or denies ICMP. We have the current
tools and features. It just needs to be tied together.

Unfortunately, the customer may purchase another vendor for the gateway device for now. However, we can actively
secure the rest of the LAN.

On a less ambitious level of integration, the new N series are soon supposed to be able to trap on a hit on a policy or
track application level usage. We need to make sure that the Matrix team sends this information out (i.e. syslog) in a
method that Dragon can read. And, we need to make sure that we have a signature set to read this so that we at least
merge UPN security events into Realtime.

What do you all think?

Thanks
Salo

— Original Message —

From: Beats, Andy
Sent: Friday, May 02, 2003 8:16 AM
To: Marsh, Todd; Savage, David; Lau, Ed; Hamilton, Jane; Fernandes, Cliff
Cc: Dragon Team
Subject: RE: IPS future ... and Enterasys UPN
Importance: High

Todd, I don't argue the point you made. But with all due respect, don't we (ETS) need to be out there convincing
our customers of what they need? Sure, customers know their networks and they should be telling us what
they need. But don't we have an opportunity to cajole, market, sell, etc. them on the Enterasys solutions? Hell,
Cisco did it, all the way to the number one spot.

I understand IPS is a hot topic. But Dragon and UPN already exist, and have an extensive history to boot. With
some savvy positioning, can't we elevate this solution in the customers' eyes? Shouldn't we break the paradigm
that IPS is the end-all/be-all in this regard, and slide the ETS solutions in there at all possible opportunities to do
so?

Maybe ETS stock will continue its rise even faster. :-)
My two cents . . .

-Andy

— Original Message —

From: Marsh, Todd
Sent: Friday, May 02, 2003 6:20 AM
To: Beats, Andy; Savage, David; Lau, Ed; Hamilton, Jane; Fernandes, Cliff
Cc: Dragon Team
Subject: RE: IPS future ... and Enterasys UPN

In the summer time frame we will start to see some basic abilities in our Xpedition platform (e.g. the ability
of the router to recognize that the flow set up rates are approaching a critical point and dynamically rate
limit the line card that is causing the rise).

The UPN Acceptable Use Policy is fine but it is not dynamic and that is what customers are looking for.

— Original Message —

From: Beats, Andy
Sent: Thursday, May 01, 2003 7:00 PM
To: Savage, David; Lau, Ed; Hamilton, Jane; Fernandes, Cliff
Cc: Dragon Team
Subject: RE: IPS future ... and Enterasys UPN
Importance: High

Folks, let's not omit the fact that our UPN strategy includes a "Threat Management" service. It's
not exactly Intrusion Prevention, but it aligns our customers OUTSTANDINGLY WELL with the
overall Enterasys security solution.

— Original Message —

From: Savage, David
Sent: Thursday, May 01, 2003 5:34 PM
To: Lau, Ed; Hamilton, Jane; Fernandes, Cliff
Cc: Dragon Team
Subject: RE: IPS future

I think we should discuss this on our next Dragon Team call.

— Original Message —

From: Lau, Ed
Sent: Thursday, May 01, 2003 4:14 PM
To: Savage, David; Hamilton, Jane; Fernandes, Cliff
Cc: Dragon Team
Subject: RE: IPS future

Well said - even if we can roadmap it, it would go a long way towards
keeping/winning customers.

Edward Lau
Systems Engineer
Enterasys Networks
(212) 946-9279
(212) 643-9587 Fax

— Original Message —

From: Savage, David
Sent: Thursday, May 01, 2003 3:22 PM
To: Hamilton, Jane; Fernandes, Cliff
Cc: Dragon Team
Subject: RE: IPS future

I think we need to look at today. Our competitors are starting to eat
away at us with their NIDS IPS stories.

— Original Message —

From: Hamilton, Jane
Sent: Thursday, May 01, 2003 1:00 PM
To: Fernandes, Cliff
Cc: Dragon Team
Subject: RE: IPS future

We haven't really had a chance to evaluate it but may be looking at it in
the near future.

— Original Message —

From: Fernandes, Cliff
Sent: Thursday, May 01, 2003 1:53 PM
To: Hamilton, Jane
Cc: Dragon Team
Subject: RE: IPS future

Thank you Jane. I will continue to use those avenues. There was a
partner in China or Japan that had worked on an IPS for/with us a while
back and we were going to test that internally. Is that still ongoing or did
it not pan out?

Thanks

Cliff

— Original Message —

From: Hamilton, Jane
Sent: Thursday, May 01, 2003 1:43 PM
To: Fernandes, Cliff; Dragon Team
Subject: RE: IPS future

We address Host IPS in the roadmap presentation on the intranet site.
We also discuss Active response, our current solution for Network IPS.
Further review of network IPS is being discussed now as part of our 7.0
planning. Plus we are in the process with Toronto of developing a Router,
FW, VPN, limited IDS device that is planned to provide Network IPS in a
couple of ways. That is most likely included on the XSR roadmap.
Regards,
Jane

— Original Message —

From: Fernandes, Cliff
Sent: Thursday, May 01, 2003 1:17 PM
To: Dragon Team
Subject: IPS future

Hello, I have a customer looking for information regarding our IPS
strategy. Do we have anything that a customer under NDA can have
access to for their security planning?
Thanks

Cliff Fernandes
EXHIBIT

[Flow diagram; only its text labels are recoverable from the scan.]

UPN IPS script -> runs against -> results file to -> respond to attack

Optional functionality:
1) Provide "Clean Up" feature that returns the network to its original configuration.
   A) Requires UPN scripts to retrieve current port policy / configuration to provide regression
2) System should provide Policy Manager / Dragon integration so UPN IPS script knows what is the default Penalty Box Policy.

Other options may include disabling 802.1x authentication for the user, create global classification rule to deny access for suspicious MAC, etc.

The log file contains the event detail received by the UPN script from Dragon and the response data with port, switch, response type, user name, etc.
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#! /usr/bin/perl 

# Mod date 8/4/03 

# New: 

# Features: 

# Input from CLi: [useriP, SwitchiP, comm string, protocol and port] 

# Output: [Interface #, MAC, TargetlP, switchipj into logfile 

# And SNMP set of rule to kill the service... 

# 

CSxTargetiP, SoestlP, $Proto, $Port, $EventName, Ssensor) « @ARGV; 

SxswitchiP = "10.10.10.252^'; # static setting for test... vs. reading a file 

Sxcommstring = "public"; 

SResponse = 'upn-service' ; 

if ($Proto == 0) { SxProto = 'TCP'; } 

# Here we remove the C.)s from the TargetlP data.... 
$x = '0'; 

for ($_ = SxTargetiP; 
s/\./ /;) { 
$x = $x + 1; 
$IP = $„; 

ifCSx 3) 

{$TargetiP = $ip; 

# End TargetlP cleanup 

# 

# section 0, Var and file definitions 

# 




# Switch IP address = SxSwitchiP Switch addressCs) [may be multiple] 

# Switch community = Sxcommstring Community string 

# Target IP address = SxTargetiP The user you are looking for 

# Node Alias file = nodealias.txt initial info return from switch 

# Cleaned Alias file = Userlnfo.txt cleaned nodealias.txt 

# Final Log file = DragonLog.txt IP/mac/switch/name/port 

# Protocol TCP/UDp = $proto 

# PortCs) = $port 



# 

# section 1, get node alias table 
# 



#$switchiP = SxswitchiP; 

use Net: : SNMP Cqw(snmp_event_loop oid_lex_sort)) : 

use vars qw($session Serror Sresult SsysupTime Stableloop Sresponse Sobject); 
Sresult = 'null' ; 

CSsession, Serror) = Net ; :SNMP->5essionC 

-hostname => SxSwitchIP, 

-community => SxCommString, 
^ ^ -port => 161 

if (! defined CSsession)) { 

printfC"Errorl: %s.\n", Serror); 
exit 1; 

} 

Sobject = "1.3.6.1.4.1.52.4.1.3.7.1.1.1"; 
# This is the Node Alias OiD 
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Final UPN02 

# Sobject = "1.3.6.1.4.1.5624.1.2.6.1.4.0"; Policy MIB, next avail policy index 
#. . . print "\n" J 

Sresult = $session->get_table($object) ; 
if CIdefinedCSresult)) { 

^rintf C"Error2 on get request: %s.\n", $session->error) ; 

# Here we need to loop through the table that we just read. 
Stable = @„; 

Snext = "null"; 

foreach $oid (oid_lex_sortCkeys(%{$session->var_bind_list}))) 

if CSObject ne $oid) { 
Snext ~ $oid; 

$table->{$oid} = $session->var_bind_list->{$oid}; 

else { 

$next = undef ; 
last; } 

} 

# Here we copy the output to a text file 

open (OUT, '>nodealias.txt') or die "couldn't open text file...\n"; 

foreach $oid Coid_lex„sort(keysC%{ Stable}))) { 
ifCSoid ne ""){ 

print OUT C"$oid,$table-><$oid}\n") ; 

# X printfC'Sfis %s\n", Soid, $table->{Soid}) ; 
} #end if 

} # end foreach 

$session->close; 
close (OUT); 



# 

# Section 2, Search for the IP address and get the hash code, clean up. 
#. 

# USING HASH CODE found in the table... 

# our list to hold the alias table... 

# X print "Target user IP is ... SxTargetiP \n"; 

open (HASHIN, "nodealias.txt") or die "Where's the file...?\n"; 
whileC<HASHIN>) { 

STheRec = $_; 

if($TheRec ne "") { 

chomp (STheRec) ; 

(Skey, $val) = split(/,/, STheRec, 2); 

# This splits our alias table into two parts, Key and value 
if(defined($val)){ # is the Sval wacky? 

ifCSval eq STargetIP) 

# Here we seach on the IP. . . [STargetiP] 

open (ALIASTABLE, '>cleaned.txt') or die "no file...\n"; 
@newval = (Skey); 

Si = '0'; 

# X print "The variable is Skey ...\n\n"; 

for ($_ = Skey; s/\./,/;) 

{# Here we replace the . with a comma (,)... 
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$i = $i + 1; 
SFinalSort = $_; 
©HASH = C$FinalSort) ; 

} # end if statement 
else { 

# print "Jumped to the else side... oops. . .\n\n" ; 
} # end else 

} # end if 
} # end if 

} # end while 

# 

# Next get hash code from Finalsort elements 17,18... 

# Then you need to split the one item string into many strings /,/ ...! 

OHash = splitC/,/, SFinalSort); 
$Hashnumberl = $Hash[16]; 
$Hashnumber2 = $Hash[17]; 

# NOW you have the Hash variables... 
close Chashin); 

close (ALIASTABLE) ; 

#. . . systemC'rm -f Userlnfo.txt'); 

# NOW we use the hash code to search the original nodealias file to get
# the port/mac/name of our target IP...
# So we re-open the nodealias file...

@Hash = ();

open (RESORT, 'nodealias.txt') or die "No file found...\n";
while (<RESORT>) {
    $n = '0';
    $Line = $_;
    chomp($Line);
    if ($Line ne "") {
        ($key1, $val1) = split(/,/, $Line, 2);
        for ($_ = $key1; s/\./,/;) {
            $Final = $_;
            @Hash = ($Final);
            $n = $n + 1; # this walks the line until the end...
            if ($n eq '19') {
                $n = '0'; }
        }
        @List1 = split(/,/, $Final);
        if ($List1[16] eq $Hashnumber1) {
            system ('touch UserInfo.txt');
            open (USER, '>>UserInfo.txt') or die "File not found...\n";
            # could check $val1 to see if it's wacky... and drop it ???
            if (defined($val1)) {
                print USER "$Final, $val1 \n";
                print "$Final $val1 \n";
            } # end if
        } # end if
    } # end if
} # end while

# ok, you have the info now in UserInfo.txt, so let's clean it up and display it
close (RESORT);
close (USER);

open (USER, 'UserInfo.txt') or die "File not found... UserInfo.txt...\n";
while (<USER>) {
    $Line = $_;
    chomp($Line);
    @Lin = split(/,/, $Line);
    if ($Lin[15] eq '3') {
        $interface = $Lin[18];}
    if ($Lin[15] eq '4') {
        $Mac = $Lin[18];}
} # end while

# output section
#print "interface is $interface\n";
#print "MAC is $Mac\n";
#print "User IP address is $xTargetIP\n";
#print "switch IP is $xSwitchIP\n";
#print "Protocol is $Proto\n";
#print "Port Number is $Port\n";
#print "\n";
#print "End of Program...\n\n";

# Finally, we write this to a log file with a time/date stamp....

($Sec, $Min, $Hr, $DayofMonth, $Month, $Yr, $weekday, $DayofYr, $isDST) = localtime(time);
$RealMonth = $Month + 1;
$FullYr = $Yr + 1900;

open (LOG, '>>LogFile.txt') or die "Couldn't open LogFile...\n";
print LOG "\n
Time-Date $Hr:$Min:$Sec $RealMonth-$DayofMonth-$FullYr
user IP address is $xTargetIP
user MAC is $Mac
switch IP is $xSwitchIP
Switch port is $interface
Protocol is $Proto
Port number is $Port\n";
close (LOG);

# -----------------------------------------------------------------
# section 3 SNMPset
# Here we use the Switch/Port data from section 2 with the Proto/Port data
# from Dragon to build the discard rule and apply it to the switch/port. We will
# then update the log file...
# -----------------------------------------------------------------
# The process
# 1) Create the discard vlan
# 2) create the rule (assign ports here as well!)
# 3) Enable rule...

# This is the clever secret decoder ring section
# Mapping the physical ports to their binary positions gives the following !!!
#
#   Hex   code        position   port#
#   80    \200        10000000   1
#   40    \@          01000000   2
#   20    \ (blank)   00100000   3
#   10    \020        00010000   4
#   08    \b          00001000   5
#   04    \4          00000100   6
#   02    \2          00000010   7
#   01    \1          00000001   8
#   00    \0          00000000   null

# Use these values to set the ingressPortList values
# NOW, how do we map the 'ifs' number into the code????
# what if we divided the number by 8, with the remainder = the code
# and the leading port groups (8) get a zero
# Also, this will over-write whatever was there, so we might need to be
# able to read the current values and save them...? If so, that would make the
# code(s) messy...

use Net::SNMP;
use vars qw($session $error $result $classvar $vlanclasslist);

($session, $error) = Net::SNMP->session(
    -hostname  => $xSwitchIP,
    -community => $xcommstring,
    -port      => 161);

if (!defined($session)) {
    printf("Error1 on session creation: %s.\n", $error);
    exit 1; }

# we will need to setup the 'instance' and 'value' vars to feed into the
# We need to read the $Proto and then load the correct $Protox value...
# -----------------------------------------------------------------
# Enterasys Classification Numbers
# -----------------------------------------------------------------
#01 etherType(1)
#02 llcDsapSsap(2)
#03 ipTypeOfService(3)
#04 ipProtocolType(4)
#05 ipxClassOfService(5)
#06 ipxPacketType(6)
#07 ipAddressSource(7)
#08 ipAddressDestination(8)
#09 ipAddressBilateral(9)
#10 ipxNetworkSource(10)
#11 ipxNetworkDestination(11)
#12 ipxNetworkBilateral(12)
#13 ipUdpPortSource(13)
#14 ipUdpPortDestination(14)
#15 ipUdpPortBilateral(15)
#16 ipTcpPortSource(16)
#17 ipTcpPortDestination(17)
#18 ipTcpPortBilateral(18)
#19 ipxSocketSource(19)
#20 ipxSocketDestination(20)
#21 ipxSocketBilateral(21)
#22 macAddressSource(22)
#23 macAddressDestination(23)
#24 macAddressBilateral(24)
# -----------------------------------------------------------------



if ($xProto eq 'TCP') {$Protox = '18';}
elsif ($xProto eq 'UDP') {$Protox = '15';}

$vlan = '4000'; # This is the default discard VID, we could change this...
$Port2 = '0';   # End of range port number... 0 if not used...
$vlanclass = "1.3.6.1.4.1.52.4.1.2.16.6.1.4.1.5.$vlan.$Protox.$Port.$Port2";
$vlancreateOID = "1.3.6.1.2.1.17.7.1.4.3.1.1.$vlan";
$vlanName = "Discard";

$vlanDiscard = $session->set_request($vlancreateOID, OCTET_STRING, $vlanName);

# print "New discard vlan info... \n $vlancreateOID and $vlanName\n";
$enableDiscardOID = "1.3.6.1.2.1.17.7.1.4.3.1.5.$vlan";
$vlanDiscardEnable = $session->set_request($enableDiscardOID, INTEGER, 1);

# $vlanclasslist = '1.3.6.1.4.1.52.4.1.2.16.6.1.4.1.5.4000.18.80.0';

# Here is where we need to convert the ifs number $interface into a set code...
# use the divide by 8 and all will be well...
# $classvar will be of a different length for different switches... 24/36/48
# And then there are the ISLs... how to filter these out... 52.4.1.3.7.1.1.4.3.1.1

$block = int($interface / 8); # Gives the rounded down integer
$rem = ($interface % 8);      # Gives the remainder

# Notice that the active block is at the [block+1] position !

# Begin the if this port then that code section...
# (remainder conditions restored from the port table above)
if    ($rem == 1) {$remvar = "\200";}
elsif ($rem == 2) {$remvar = "\@";}
elsif ($rem == 3) {$remvar = "\ ";}
elsif ($rem == 4) {$remvar = "\020";}
elsif ($rem == 5) {$remvar = "\b";}
elsif ($rem == 6) {$remvar = "\4";}
elsif ($rem == 7) {$remvar = "\2";}
elsif ($rem == 0) {$remvar = "\1";}

# blank block filler... meaning that the value is zero.
$f = "\0";

# Need to correct for a zero remainder when on a bit boundary...
#
if ($rem == 0) { $block = $block - 1;
    if    ($block == 0) {$classvar = "$remvar";}
    elsif ($block == 1) {$classvar = "$f$remvar";}
    elsif ($block == 2) {$classvar = "$f$f$remvar";}
    elsif ($block == 3) {$classvar = "$f$f$f$remvar";}
    elsif ($block == 4) {$classvar = "$f$f$f$f$remvar";}
    elsif ($block == 5) {$classvar = "$f$f$f$f$f$remvar";}
} # end if
else {
    if    ($block == 0) {$classvar = "$remvar";}
    elsif ($block == 1) {$classvar = "$f$remvar";}
    elsif ($block == 2) {$classvar = "$f$f$remvar";}
    elsif ($block == 3) {$classvar = "$f$f$f$remvar";}
    elsif ($block == 4) {$classvar = "$f$f$f$f$remvar";}
    elsif ($block == 5) {$classvar = "$f$f$f$f$f$remvar";}
} # end else reloop the above code block...

# -----------------------------------------------------------------
#... print "Blank blocks are... $block and the port is...$rem\n";
#... print "ctVlanClassifyIngressList value is...\n$vlanclass\n";

print "Testvars... $vlan, $Protox, $Port, $Port2 \n";
$result = $session->set_request($vlanclass, OCTET_STRING, $classvar);
$RowOID = "1.3.6.1.4.1.52.4.1.2.16.6.1.4.1.6.$vlan.$Protox.$Port.$Port2";
$RowStatus = $session->set_request($RowOID, INTEGER, 1);
if (!defined($result)) {
    printf("Errors on result in vlanclass set: %s.\n", $session->error);
    $session->close;
    exit 1; }

# If no errors, then the filter was set, so update the log file for Dragon
open (DRAGONLOG, '>>DragonLog.txt') or die "couldn't open LogFile...\n";
print DRAGONLOG "$Hr:$Min:$Sec $RealMonth-$DayofMonth-$FullYr : $xTargetIP: $DestIP: $Mac: $xSwitchIP: $interface: $Proto: $Port: $EventName: $sensor: $Response\n";
close (DRAGONLOG);

$session->close;

exit 0;
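The port-to-ingress-list mapping from section 3 of the script above, generalized as an added Python example (not part of the exhibit's Perl code): it builds the octet string for any port on an N-port switch with a zero-based divmod (so the remainder-zero boundary fix-up is not needed), decodes a list back to port numbers, and ORs a new port into a list read back from the switch, which is the read-then-save step the script's comments leave open. The function names and the assumed `nports` parameter are mine.

```python
# Added example: ctVlanClassifyIngressList-style port bitmaps, as the script's
# decoder-ring table lays them out (port 1 = 0x80 of octet 0, port 8 = 0x01 of
# octet 0, port 9 = 0x80 of octet 1, ...). Not part of the exhibit's Perl script.

def port_to_mask(port: int, nports: int) -> bytes:
    """Octet string with only `port` set, padded to the switch's full port count.

    `nports` (assumed parameter) is the switch size the script's comments
    mention (24/36/48); padding to full length avoids sending a short value.
    """
    if not 1 <= port <= nports:
        raise ValueError(f"port {port} outside 1..{nports}")
    # Zero-based index: block is the octet, rem is the bit from the MSB side.
    # This replaces the script's int($interface/8) / ($interface%8) pair and
    # its special case for a zero remainder on the 8-port boundary.
    block, rem = divmod(port - 1, 8)
    mask = bytearray((nports + 7) // 8)
    mask[block] = 0x80 >> rem
    return bytes(mask)

def mask_to_ports(mask: bytes) -> list:
    """Inverse mapping: the port numbers whose bits are set in `mask`."""
    ports = []
    for i, octet in enumerate(mask):
        for bit in range(8):
            if octet & (0x80 >> bit):
                ports.append(i * 8 + bit + 1)
    return ports

def merge_port(current: bytes, port: int) -> bytes:
    """Read-modify-write: OR `port` into a list read back from the switch,
    so an existing discard rule's ports are kept instead of overwritten."""
    new = port_to_mask(port, len(current) * 8)
    return bytes(a | b for a, b in zip(current, new))

if __name__ == "__main__":
    # Constructed sample: a 24-port switch with ports 1 and 8 already listed.
    existing = b"\x81\x00\x00"
    print(mask_to_ports(existing))             # [1, 8]
    print(merge_port(existing, 17).hex())      # 810080
```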